Sign up to receive our free Tech e-newsletter and get the latest tech news, Hot Sites & more in your inbox.

E-mail:

Select one:
HTML
Text

LexisNexis may have had earlier breach

By Erica Werner, Associated Press

WASHINGTON  A LexisNexis executive said Wednesday there may have been an earlier breach of consumers' personal data that was never reported to the public.

The disclosure at a Senate hearing came a day after London-based Reed Elsevier, which owns LexisNexis, revealed that criminals may have breached computer files containing the personal information of 310,000 people since January 2003. That in itself was a tenfold increase over the 32,000 people the company said in March were put at risk. The company said the fraud involved the improper use of IDs and passwords.

"I believe there may have been a security breach in LexisNexis prior to 2003 that involved personal data and we did not make notice," Kurt Sanford, LexisNexis' president and chief executive for U.S. corporate and federal markets, said in response to questioning at a Senate Judiciary Committee hearing.

Sanford gave no details. LexisNexis spokesman Sean C. McCabe said later that Sanford was referring to more than one past breach, but he could provide no information about how many there were, when they took place or how serious they were.

"It's unclear if any sensitive information was accessed, or if any consumers were impacted," McCabe said in an interview.

Sanford's disclosure Wednesday came in response to questioning by Sen. Dianne Feinstein, D-Calif., about whether companies that sell consumers' personal data may have had security breaches prior to 2003 that they didn't disclose.

A California law took effect in 2003 that required such notification. That law, the only one like it in the nation, forced ChoicePoint Inc. to make a recent disclosure about a security breach involving 145,000 Americans. ChoicePoint has also recently acknowledged a data breach in 2002 that it never disclosed at the time.

The string of recent data breaches has drawn national attention to the loosely regulated companies that collect information on consumers — from Social Security numbers to medical records — and sell it to insurance companies, prospective employers, law enforcement agencies and others.

Feinstein supports requiring companies in all states to notify consumers of data breaches. She and other senators called Wednesday for a federal crackdown on the industry.

"I believe that there will be some very firm federal legislation coming out of this issue," said Senate Judiciary Committee Chairman Arlen Specter, R-Pa. "There has been limited governmental response. ... It is my conclusion that we do need federal legislation, that there needs to be uniformity as we approach an enormous problem of this sort."

Specter said he would be submitting draft legislation to the Federal Trade Commission for review, but a spokesman said later that details of the bill were still being worked out.

Sanford and executives from ChoicePoint and Acxiom Corp. said Wednesday they would support a federal rule requiring notification of consumers in the event of data breaches.

But Sanford and Acxiom chief privacy officer Jennifer Barrett made clear in written testimony that they would support such notification only in cases where the security breach put consumers at risk of identity theft or fraud. Federal Trade Commission Chairwoman Deborah Platt Majoras took the same position.

Feinstein questioned how companies could determine when the release of personal information was risky or not.

Another sticking point is whether states would be allowed to set stricter standards for privacy breach notification than the federal government establishes.

Vermont Attorney General William H. Sorrell, president of the National Association of Attorneys General, testified that states should have that right. But several senators and the data companies said that would be unwieldy.

Copyright 2005 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.